Bacros
Virus.Win32.Bacros.a or Bacros is a virus on Microsoft Windows that infects local filesystem files by renaming all .TXT files to .EXE files. It can also copy itself in floppies and CD-ROMs. The virus also drops and executes a Word Macro virus W97M/Bacros.A. Payload The binary virus is written in Borland Delphi and its body size is 356 KB. Both the binary and the macro parts are designed to work together but they can replicate independently. Typical symptom for end users is that they find some of their images being replaced with a picture that says "KUOLE JEHOVA". It was found in the wild in the beginning of September 2004. Installation to Systems If run without arguments, for example by double-clicking on it, it installs itself to the system. First it makes three copies of itself in Windows system directory: %WinSysDir%\mssys.exe %WinSysDir%\sys.exe %WinSysDir%\msdosdrv.exe Then it adds the following keys in registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run "MSSys" = "%WinSysDir%\mssys.exe -d" HKCU\Software\Microsoft\Windows\CurrentVersion\Run "MSDosdrv" = "%WinSysDir%\msdosdrv.exe -t" With these registry keys, the virus is activated in the next boot. The program behaves differently depending on the argument (-d or -t). It also tries to display a text file with the name of the binary (for example, if the binary name is "tiedotteet.exe", text file it tries to display is "tiedotteet.txt"). If the text file doesn't exist, the binary displays a text file that contains the filename of the virus repeated several times. Writing the Word Documents When run via the registry with argument -t (MSDosdrv), the program drops a Word document infected with W97M/Bacros.A virus in two places: to user's personal documents folder and in %SystemRoot% folder with the name "WordInfo.doc". It also disables the macro virus protection in the registry. Spreading in Word Documents When run via the registry with argument -d (MSSys), the program check the date of the system. If the day of the month is 10th, 20th or 30th, the virus tries to open the infected with W97M/Bacros.A file: %SystemRoot%\WordInfo.doc This macro virus replicated during opening and closing documents. It resides in a macro called 'NewBacros' and uses Organizer Copy method to replicate. It infects Notmal.Dot and also creates a copy of itself in Normal.Doc in MS Word's template folder. If the day of the month is 6th it types the text: I, Madman and changes the application user name to: ANCIENT In an attempt to spread the binary part with itself to floppies, W97M/Bacros.A tries to copy the binary virus from 'C:\Windows\System\sys.exe' to the root of A: drive as ReadMy.exe. It does this when the macro virus is executed from the A: drive. Spreading in CD-ROMs If the day of the month is any other day, it tries to copy itself on CD-ROM drive with the name "ReadMy.exe". It also writes an Autorun.inf file on CD-ROM for automatic execution of the file. The program checks for the drive ID (CDROM) so it won't work with other removable devices such as USB sticks. CD-ROM writing works only if the machine has packet-writing capabilities, for example Nero InCD. Renaming Text Files If it is the 2nd of any month, the virus scans through all local disk drives and makes a copy of itself with the name of every text file (.txt) it finds. The icon of these .EXE files looks like the default icon of a TXT file. Replacing Picture Files If the day of the month is 1st, the virus scans through all local disk drives and replaces all gif-files it finds with a small gif-file saying "Kuole Jehova". It's in Finnish and means "Die Jehova". Changing the Background Picture If the date is December 6th (Finland's Independence Day), the virus sets a small Finland flag as a background picture of the system. It is only visible if the Active Desktop is disabled, otherwise it will only show when the computer is logged off in which Active Desktop terminates. Deleting Files If the date is December 25th (Christmas Day), the virus deletes all files on all local hard drives. Media Category:Virus Category:Win32 virus Category:Win32 Category:Billion dollar damage